Comments

LarrySeptember 6, 2013 3:12 PM

While you are accurate about EU data practices, we in Canada have similar restrictive laws in place which govern the use of personal information by either the government or the private sector (PIPEDA) so there are examples much closer to home - which work pretty well - from a country with a much more similar legal system than the EU. The U.S. needs to learn more about Canadian privacy practices.

NobodySpecialSeptember 6, 2013 3:16 PM

@Larry so the US claim that the NSA isn't breaking the law because it is defending America and anything that defends America must be lawful.

Canada and the UK have strict laws on government use of data - which are totally ignored by the security services, secure in the knowledge that no civil servant or politician would ever question them.

swedeSeptember 6, 2013 3:40 PM

This issue that...
A) country X has laws "guaranteeing privacy", and yet
B) the government intercepts what-ever they like, and say that it is fully legal

....happens in Europe too (and, I would not be surprised, Canada as well). A good example is this current issue in Sweden that was brought up by Duncan Campbell (a UK journalist). According to the Campbell, Sweden has been a close partner of both NSA and GCHQ.


OdysseySeptember 6, 2013 3:56 PM

Bruce

Why hasn't TEMPEST come in the picture? Sure dominating the internet and airwaves is enticing, however because we as a society have changed to DC from AC, isn't it easier to read output signal with less interference? I'm not sure if propagation loss still makes it unfeasable, but we don't have any say on the power we receive. Are energy companies in on this as well?

John SchillingSeptember 6, 2013 4:22 PM

@Odyssey:

I'm not clear on what you mean by society having "changed to DC from AC"; the partial adoption of HVDC for long-distance power transmission seems unlikely to have much effect when local power transmission is still predominantly AC.

In any event, far more significant than AC/DC is the change from CRT to LCD. The main lesson of Tempest is not that "they" can by arcane means fathom everything that goes on inside a computer from a distance, but that taking a sophisticated and efficient piece of digital electronics and running the output through a modulated electron beam in vacuum is a ridiculously noisy kludge.

That said, the adoption of wireless keyboards (and just about everything else) introduces new vulnerabilities, so TEMPEST isn't wholly irrelevant. But it will probably never again be as important as it was in the days of ubiquitous CRTs.

Clive RobinsonSeptember 6, 2013 5:10 PM

@ John Schilling,

    That said, the adoption of wireless keyboards (and just about everything else) introduces new vulnerabilities, so TEMPEST isn't wholly irrelevant. But it will probably never again be as important as it was in the days of ubiquitous CRTs.

Err no EmSec is rather more important these days than most people think.

Back in the "good old days" TEMPEST was about finding and using "compromising eminations" from your targets electronics. EMC filtering initialy put paid to that but it actually became quite effective again when far eastern manufactures switched from using expensive passive filtering components to almost zero cost spread spectrum techniques to meat the EMC emmissions masks.

However things have moved on a bit, you may be aware of "fault injection" techniques where baby EMP discharges are used to make CPU's jump into different operating states?

And you may have read about some basic active EmSec experiments by a couple of Cambridge labs students who sent an unmodulated EM carrier at a TRNG and changed it's entropy from ~2^32 to less than 2^8...

Well you can combine both attacks with a modulated EM signals of suitable levels (10v/m) it causes the CPU to jump in the same or similar way to a directly applied fault injection.

Thus you can inject a fault into a system from across the street if you so wish...

The open academic community has realy neglected this area of research which is a shame, because as I found out conducting my own experiments on electronic wallets and pocket gambling machines in the 1980s it can be a very powerfull attack vector...

David LeppikSeptember 6, 2013 5:12 PM

Bruce: Speaking of Minnesota, I wonder if you've seen the book about Snowden by fellow Minnesotan Nancy Carlson.


Having read it over and over, every time I hear a headline about the NSA these days, I immediately visualize the cover of that book.

OdysseySeptember 6, 2013 7:11 PM

@John

I may have made an incorrect point when I meant about changing from AC to DC. My apologies. What I was really trying to get at was the new powerline adapters that you plug into your wall to create a private hub-based network. I'm assuming these devices somehow modulate the random electrical fluctuations to create a more stable carrier signal for transmission of binary information over electricity.

BNW

name.withheld.for.obvious.reasonsSeptember 6, 2013 7:48 PM

@ Clive Robinson

I can tell of a time in the 90's into the year 2005, i had a chance to participate in a competitive grant on EMF-based electronic disrupters. Our competition was a major defense contractor and we were a small 10 person shop. Did several demonstrations and then the final "figure of merit" standoff was held in a remote location. Our equipment shipped in the back of a pickup truck and theirs came on a rail car.

The device demonstrated by the large corporation did meet the figure of merit, but, they extrapolated the integration of the series and the resultant doublelet by compensating for the axial d-dot cable "losses". In other words the computed value was taken as a reference from the cable losses. They lied, but they were awarded the contract. This is not unlike the non-functioning bomb detector.

Funny thing is we solved a problem that changed the first order components in an interesting (non-linear) way that is not well understood (at least we're not sayin'). There is some folklore on the subject and I believed it was a deliberate disinformation campaign. After a successful test in Aberdeen the message probably got out that our little garage device could make the multi trillion dollar investment in FCS a huge waste of money. I guess we HAD to go away.

Bauke Jan DoumaSeptember 7, 2013 4:55 PM

Say Bruce,

Aside from new engineering inititatives, should there also be an initiative to create
a (monetery?) incentive for whistleblowers to step forward?

I think we cannot let whistleblowers' programs be managed by the gov anymore,
as evidenced by the lowlifes in politics calling for the removal from society of
Snowden. We need an intelligent program to create highly lucrative 'awards'
for WB's -- and, as goes without saying, nigh profile reprimands for hoaxsters.

A continuous war will be waged of those in power against the people, notwithstanding
all the dumb rhetoric about 'aimed at terrorism' (does Obama think we -- esp. here
in Europe-- are really as dumb as he sees himself apparently?)

In light of this continuous war on 'THE PEOLE', isn't such a whistlblower progam,
one that cannot be made a travesty of by those good old loudmouths and hairdoes
of the big media, who think of themselves as true patriots, isn't such a proigram a
sine qua non in the objective of the engineering/cryptography effort, that is to say,
they share a deeper and quite obvious goal: that no gov agency shall be silently
above the law?

Thanks.

Bauke Jan Douma
The Netherlands


BuckSeptember 7, 2013 10:31 PM

@Clive & name.withheld

Please do elaborate! Could you recommended any beginners' courses on EmSec?

name.withheld.for.obvious.reasonsSeptember 9, 2013 9:36 AM

@ Buck -- Try a few of these
AARL Handbook
High Voltage Engineering Handbook
References to Marx Generators
And any number of SPIE publications, variations of interest include UWB Radar or HERF.
None of these sources are problematic--unless you are looking for them via google, yahoo, bing, ask, or your local librarian (oh, that might be safe).

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..